Blumira's New ITDR and EDR Response Actions
When a threat is confirmed, every second matters. For most IT and security teams, though, the path from detection to containment involves a frustrating number of manual steps: confirm the finding, pivot to a separate tool, track down the right access, wait for approvals, and hope the attacker hasn't already moved on. Blumira's new ITDR and EDR response actions close that gap by putting containment directly inside the platform, right where the finding is.
The Problem with Tool Sprawl During an Incident
Most mid-market organizations don't have a dedicated SOC or a team of incident responders on standby. What they have is an IT admin or a small security team managing Active Directory, cloud identities, endpoints, and an alert queue all at the same time. That's a lot to juggle on a normal day. When something critical hits, adding a context switch to a separate EDR console or manually navigating the Entra admin portal to revoke a session burns time you don't have. The problem isn't that teams don't know what to do. It's that it takes too long to actually do it.
What's New
Blumira now surfaces response actions directly in the finding. When a detection fires, you can act without leaving the platform. Here's what's available now, with more to come:
EDR actions (endpoint level):
- Isolate Host / De-isolate Host
- Kill Process
- Kill Process Tree
- Disable Local User
- Delete File
ITDR actions (identity level):
- Disable AD User
- Disable User and Revoke Sessions (Entra and on-premises)
Real Scenarios Where This Saves Time
Business email compromise is one of the most common and costly incidents security teams deal with. An attacker gets into a Microsoft 365 account through a phishing link, quietly sets up forwarding rules, and starts poking around SharePoint. Under the old workflow, confirming the compromise and then actually revoking the attacker's access could take 30 to 60 minutes, between navigating the Entra portal, locating the right account, disabling it, and manually invalidating active sessions.
With the Disable User and Revoke Sessions action in Blumira, that entire process collapses into a single click on the finding. The account is disabled, and every active session is invalidated across cloud and on-premises environments at the same time.
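The manual Entra and on-premises workflow described above, scripted as an added example (this is not Blumira's code; the cmdlets come from the Microsoft Graph PowerShell SDK, the RSAT ActiveDirectory module and, optionally, the ADSync module, and the account names are placeholders). It assumes the operator holds User.ReadWrite.All and User.RevokeSessions.All in Entra and disable rights on the AD object:

```powershell
# Added example (not Blumira's code): the "Disable User and Revoke Sessions" steps
# for a hybrid identity, run from a workstation with the Graph SDK and RSAT installed.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. jdoe@example.com
    [string] $OnPremSamAccountName                          # placeholder, e.g. jdoe; omit if cloud-only
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# 1. Authenticate with only the scopes this task needs (least privilege).
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled

# 2. Disable the account. For a synced (hybrid) identity the on-prem object is
#    authoritative: a cloud-only change to accountEnabled is overwritten at the next
#    sync cycle, so disable in AD as well and, if this host runs Entra Connect, push
#    a delta sync instead of waiting for the scheduled one.
if ($user.OnPremisesSyncEnabled -and $OnPremSamAccountName) {
    Import-Module ActiveDirectory
    Disable-ADAccount -Identity $OnPremSamAccountName
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }
}
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Disabling does not end tokens already issued. Revoking sign-in sessions
#    invalidates the user's refresh tokens, so every existing session must
#    re-authenticate, which now fails because the account is disabled.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Verify the state change and leave a timestamped record for the incident log.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
Write-Output ("{0}: accountEnabled={1}, sessions revoked at {2:u}" -f `
    $user.UserPrincipalName, $after.AccountEnabled, (Get-Date))
```

Access tokens already issued remain valid until they expire (typically up to an hour), so session revocation shortens but does not eliminate the attacker's remaining window; Conditional Access continuous evaluation narrows it further where it is enabled.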
Ransomware precursors are another good example. If an attacker drops a credential file and starts running reconnaissance tools on an endpoint, Blumira can detect both. A responder can Delete File, Kill Process, and Isolate Host all from the same screen without opening a second tool. That kind of speed is the difference between catching something early and doing full incident recovery.
Built For You
If you're an IT admin at a company without a large security team, you're probably the person who investigates detections and does the containment work. Having to maintain separate tool access, remember different workflows, and coordinate response steps across platforms adds cognitive load at exactly the wrong moment. These actions are designed to reduce that friction. You see the finding, you understand the context, and you can act on it without switching tools or waiting on someone else. With Blumira, you can pick up flagged detections and act on them quickly and independently, but you don't have to do it alone.
See how we can help you take on threats here.
See It in Action
Here's a walkthrough of these new response actions in action, running against live scenarios. You'll see how registry persistence, privilege escalation, cleartext credentials sitting on a desktop, PowerShell download invocations, and a rogue AD user synced to Entra are detected and contained from inside the finding. Seven minutes, six scenarios, zero time wasted.
Amanda Berlin
Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...